To encrypt dns or not?

I'm trying to decide whether or not to encrypt my DNS, if it's worth the performance hit.

I have a bind9 recursive caching server running on my local net on an Ubuntu 20.04 server. It forwards queries that are not in cache to my nameserver running in a tier-1 data centre.

The nameserver in the data centre will forward queries not in cache first to 1.1.1.1 and then try to resolve them recursively if not found.

In terms of privacy, the IP of my cloud server just resolves to an anonymized domain anyway, so Cloudflare doesn't know anything about me.

My OpenWrt box uses the DNS server on my local net as its "upstream" resolver.

I am somewhat concerned about the possibility of snooping from my ISP on my DNS traffic running from my network to my cloud VM. I'm not sure if I should be concerned or if I am just being paranoid.

I have a WireGuard tunnel already running between my OpenWrt box and the cloud VM, so I could just have my local nameserver forward DNS queries to the private IP on the remote end of the VPN tunnel instead of to the public IP.

The real question: is the security I gain by sending the DNS traffic over the WireGuard tunnel worth the performance hit?

Interested to hear your opinions on whether this security vs performance tradeoff is worth it, or if I'm just being overly paranoid about the security.
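Worked example for the plan above (added here; it is not the poster's own configuration). It shows the bind9 options block that forwards to the far end of the tunnel, and a check that nothing on port 53 still leaves the router's WAN interface in the clear. The addresses 10.0.0.2 (tunnel peer) and interface eth1 (WAN side of the OpenWrt box) are assumptions, as is the sample capture, which is constructed for the offline run.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Assumed (hypothetical) values:
WG_PEER=10.0.0.2   # private address of the cloud VM at the far end of wg0
WAN_IF=eth1        # ISP-facing interface on the OpenWrt box, where cleartext DNS would appear

# 1. options block for /etc/bind/named.conf.options on the local Ubuntu server.
#    "forward only" is the security-relevant line: with "forward first", bind
#    quietly falls back to resolving on its own (straight out through the ISP,
#    in the clear) whenever the tunnel peer fails to answer.
bind_forwarders_conf() {
  cat <<EOF
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { localhost; localnets; };
    forwarders { ${WG_PEER}; };
    forward only;
    dnssec-validation auto;
};
EOF
}

# 2. Leak check. Reads "tcpdump -n" lines on stdin and prints every destination
#    that was sent a packet on port 53 other than the tunnel peer ($1). Captured
#    on the WAN interface, the list should be empty: tunnelled DNS travels inside
#    WireGuard's own UDP and never shows up there as port 53.
dns_leaks() {
  awk -v ok="$1" '
    $2 ~ /^IP6?$/ && $4 == ">" {
      dst = $5; sub(/:$/, "", dst)             # "1.1.1.1.53:" -> "1.1.1.1.53"
      n = split(dst, p, ".")
      port = p[n]                               # last dotted component is the port
      host = substr(dst, 1, length(dst) - length(port) - 1)
      if (port == "53" && host != ok) print host
    }' | sort -u
}

# 3. Live version, run on the router while a LAN host forces a few cache misses
#    (dig some names it has never seen). Not executed by the offline demo below.
live_leak_check() {
  timeout 20 tcpdump -ni "$WAN_IF" -l 'udp port 53 or tcp port 53' 2>/dev/null | dns_leaks "$WG_PEER"
}

# Constructed capture for the offline demonstration: a query to the tunnel peer,
# its reply, and one query that escaped directly to 1.1.1.1.
SAMPLE_CAPTURE='12:00:00.000001 IP 192.168.1.2.43123 > 10.0.0.2.53: 1+ A? example.com. (29)
12:00:00.000002 IP 10.0.0.2.53 > 192.168.1.2.43123: 1 1/0/0 A 93.184.216.34 (45)
12:00:00.000003 IP 192.168.1.2.43124 > 1.1.1.1.53: 2+ A? leak.test. (27)'
demo_leaks() { printf '%s\n' "$SAMPLE_CAPTURE" | dns_leaks "$WG_PEER"; }

if [ "${1:-}" = live ]; then
  live_leak_check
else
  bind_forwarders_conf
  printf 'leaked to: %s\n' "$(demo_leaks)"
fi
```

Run it with no arguments to print the options block and check the constructed capture (it reports 1.1.1.1 as the leak); run it with `live` on the router to watch the real WAN interface. Note that once the forwarders point into the tunnel, the only unencrypted hop left is between the data centre VM and whatever it forwards to.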

Network performance-wise, you'd be trading UDP for a multi-part TCP handshake and response, with everything that comes with it (penalty-wise), plus the additional overhead. Would it even be measurable? Probably not.

The question is going to be 1) Who you trust and 2) To what extent.

You're tunnelling out to the OPE using WG, so your ISP can't see any of that traffic (including UDP port 53 requests). Anyone between your datacenter connection and Cloudflare will see it, unless you use DoH, but at that point, you said you'd be covered privacy-wise at the datacenter.

So your exposure will be between the DC and Cloudflare. That might help you decide if you're being paranoid or not (enough).

I could be totally paranoid - setup my local server as a recursive-only one and the data centre server likewise. Eliminate forwarding completely.

Then use dnsmasq to forward to both local and data centre nameservers for redundancy, with the "all-servers" option set in /etc/dnsmasq.conf so it queries both at the same time and gives out the fastest response.

This way, no forwarding at all + encryption between the router and the data centre. Of course, I lose out on the big cache that Cloudflare has. Not sure in practice how much difference this will make. I'll have to test it. But that's about as private as a DNS setup could get.

Cloudflare have a well-defined and clear privacy policy on their dns that is very consumer friendly, unlike Google for example. I would trust them a lot more than Google or my ISP.

See here: https://blog.cloudflare.com/announcing-1111/
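Worked example for the recursive-only plan (both bind9 servers recursing themselves, dnsmasq on the router querying both with `all-servers`), added here and not the poster's own files. The addresses 192.168.1.2 (local bind9) and 10.0.0.2 (cloud bind9 over the tunnel) are assumptions. The check function catches the one mistake that silently undoes the privacy goal: dnsmasq still reads /etc/resolv.conf unless `no-resolv` is set, and with `all-servers` every query would then also go to whatever resolver (usually the ISP's) is listed there.

```shell
#!/bin/sh
# Added example, not the original poster's files. Assumed (hypothetical) addresses:
LOCAL_NS=192.168.1.2   # bind9 on the LAN, now recursing on its own
WG_PEER=10.0.0.2       # bind9 on the cloud VM, reached through wg0
# On both bind9 servers the forwarders clause goes away (or becomes
# "forwarders { };"), so each resolves from the root servers itself.

# /etc/dnsmasq.conf on the router for the "ask both, keep the fastest" setup.
dnsmasq_conf() {
  cat <<EOF
# Never read /etc/resolv.conf: with all-servers, any ISP resolver listed there
# would also receive a copy of every query.
no-resolv
server=${LOCAL_NS}
server=${WG_PEER}
all-servers
# A larger cache (the default is 150 entries) lowers the miss rate, and misses
# are where the extra round trip to the data centre actually costs latency.
cache-size=10000
# Never forward bare names or reverse lookups for private ranges upstream.
domain-needed
bogus-priv
EOF
}

# Lint a dnsmasq config read on stdin: report anything that lets queries out
# past the LAN/tunnel resolvers. Prints the problems, exit status 1 if any.
check_dnsmasq_conf() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^no-resolv/   { noresolv = 1 }
    /^all-servers/ { allservers = 1 }
    /^server=/ {
      ip = substr($0, 8)
      sub(/^\/[^\/]*\//, "", ip)     # server=/domain/ip  -> ip
      sub(/[#@].*$/, "", ip)         # ip#port, ip@iface  -> ip
      srv[ip] = 1; nsrv++
    }
    END {
      bad = 0
      if (!noresolv) { print "missing no-resolv: upstreams from /etc/resolv.conf would be queried as well"; bad = 1 }
      if (allservers && nsrv < 2) { print "all-servers set but fewer than two server= lines"; bad = 1 }
      for (s in srv)
        if (s !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) { print "public upstream " s " reached outside LAN/tunnel"; bad = 1 }
      exit bad
    }'
}

dnsmasq_conf
if dnsmasq_conf | check_dnsmasq_conf; then echo "dnsmasq config OK"; fi
```

The private-range test in the lint is deliberately crude (RFC 1918 prefixes only); its job is to flag a leftover `server=1.1.1.1` or a missing `no-resolv`, not to validate every dnsmasq option. After installing the file, `dnsmasq --test` checks the syntax and a couple of `dig` runs against the router confirm that answers now come from one of the two bind9 caches.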

  1. There is no real performance hit encrypting DNS traffic, neither in terms of system resource usage nor in terms of traffic/overhead. But you will see/feel a hit/"lag" as soon as you enable DNSSEC (simply more traffic, and NTP involved).

  2. "Security" wise:
    It is wrong to think that Cloudflare does not know anything about you. A lot of sites on the web run Cloudflare services such as their DDoS protection service. The same is true of Google (Google Analytics) and Facebook (the Like button). So these companies (and a lot of others) track you across the whole internet (by IP, browser footprints (IP leak through WebRTC), device IDs) and know what sites you are visiting (without you using their DNS services), besides what your OS and your apps are already tracking and what the companies share among each other. It is almost impossible to avoid tracking coming from the big tech companies. The Cloudflare rules you quoted are valid for their DNS service only and not for other services they offer to companies you are not directly involved with!

    The most important thing when using a VPN is to avoid DNS leaks. And keep in mind that there are a lot of devices/apps in the wild using hardcoded DNS nowadays. DoH is incoming also. Avoid them.

For paranoia you have to think about what kind of "private" traffic it is worth/needed to split from other "casual" traffic, and what your understanding of privacy/security/anonymity is (see above about tracking by big tech). It is not a good idea to run all traffic from all devices through a/one VPN for security or privacy or anonymity. Start logging your whole traffic to decide. :wink:

Well, there's a latency hit, so query resolution takes longer. A few milliseconds on top of a query that only takes a few milliseconds is a hit that adds up and degrades the overall experience.

Enabled already long ago :slight_smile:

Agreed. I think no commercial organization is altruistic. Some are better, some are worse and your private data is currency.

Some of the tracking is impossible to avoid, absolutely. But I do try. I run ad blockers, I run cookie auto-delete addons, ghostery-style tracker blockers, VPNs that direct certain websites through the tunnel connected to my data centre VM, etc. etc. I deleted my facebook long ago and I never log into a website using my credentials from another one. The list is endless...

DNS is just one vector of privacy that I'm concerned about at the moment, mainly because UK ISPs snoop on their users at the behest of government, and I just have a problem in principle with that.

So I tackle each one of the privacy issues in turn. Right now, I'm just trying to get the best trade-off between DNS privacy and decent performance. Security is always a trade-off.

Been doing so for a few years already. I have my OpenWrt box running softflowd and exporting flows to an ELK stack running ElastiFlow.

The system logs all go to Graylog on the same Elasticsearch node, as do the logs from a Snort instance, and there I have a whole bunch of dashboards set up to slice and dice firewall logs, Snort logs and system logs to show me what's going on... below is part of one of the firewall dashboards

The latency hit only comes on the first time you resolve a domain... after that you have caching, at least for however long the caching lasts... which is usually minutes if not hours.

Sure... but it's a private server, so it won't keep stuff in cache nearly as much as a public server like Cloudflare, and therefore the percentage of cache misses will surely be much higher... so a higher percentage of cache misses on a larger number of queries, and the latency will add up.

I guess I can probably really only resolve the question by doing a fair bit of benchmarking with different configurations. Been doing some already and it seems that the encryption doesn't degrade things as much as I thought it might.
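A benchmarking script for the comparison the thread ends on (added here; not the poster's own script). It times a cold pass (first lookup of each name, a miss on a freshly flushed cache) and a warm pass (the same names again) against each resolver and reports medians, so the per-miss cost of the tunnel path can be read off separately from the hit rate that decides how often it is paid. The resolver addresses (127.0.0.1 for the local bind9, 10.0.0.2 for the cloud bind9 over the tunnel, 1.1.1.1 as the big-shared-cache reference) and the name list are assumptions; the dig output used for the offline demonstration is constructed.

```shell
#!/bin/sh
# Added benchmarking example, not the poster's own script. Assumed (hypothetical):
#   127.0.0.1  the local bind9, with whatever forwarding is currently configured
#   10.0.0.2   the cloud bind9, reached over the WireGuard tunnel
#   1.1.1.1    Cloudflare directly, as the reference for a large shared cache
RESOLVERS="127.0.0.1 10.0.0.2 1.1.1.1"
# Constructed name list; for a real run, take a few hundred names from the
# resolver's query log so the hit/miss mix matches actual browsing.
NAMES="example.com example.net example.org openwrt.org ubuntu.com"

# Extract the millisecond figure from dig's statistics ("Query time: 23 msec").
query_ms() { awk '/Query time:/ { print $4 }'; }

# Median of one-number-per-line input; unlike a mean it is not thrown off by
# the occasional multi-second timeout.
median() {
  sort -n | awk '{ v[NR] = $1 } END {
    if (NR == 0) { print "n/a"; exit }
    if (NR % 2) print v[(NR + 1) / 2]
    else print (v[NR / 2] + v[NR / 2 + 1]) / 2
  }'
}

# One timed lookup. +tries=1 +time=3 makes a dead resolver fail fast instead of
# skewing the numbers; +dnssec keeps the validation traffic in the mix, since
# DNSSEC is enabled on these servers anyway.
time_lookup() {  # $1 resolver, $2 name
  dig @"$1" "$2" +tries=1 +time=3 +dnssec +noall +stats 2>/dev/null | query_ms
}

# Cold pass = first lookup of each name, warm pass = same names straight after.
# The gap between the two medians is the per-miss cost of the path; the cache
# hit rate decides how often that cost is paid.
bench() {  # $1 resolver
  cold=""; warm=""
  for n in $NAMES; do cold="$cold $(time_lookup "$1" "$n")"; done
  for n in $NAMES; do warm="$warm $(time_lookup "$1" "$n")"; done
  printf '%-12s cold median %5s ms   warm median %5s ms\n' "$1" \
    "$(printf '%s\n' $cold | grep . | median)" \
    "$(printf '%s\n' $warm | grep . | median)"
}

# Constructed dig "+stats" output for the offline demonstration below.
SAMPLE_DIG=';; Query time: 23 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; WHEN: Mon Jan 01 12:00:00 UTC 2024
;; MSG SIZE  rcvd: 56'
demo_parse() { printf '%s\n' "$SAMPLE_DIG" | query_ms; }

if [ "${1:-}" = run ] && command -v dig >/dev/null 2>&1; then
  # Flush the caches first (rndc flush on each bind9) so the cold pass is cold.
  for r in $RESOLVERS; do bench "$r"; done
else
  printf 'parsed query time: %s ms (pass "run" to benchmark %s)\n' "$(demo_parse)" "$RESOLVERS"
fi
```

Run with `run` on a LAN host to get one line per resolver; repeat after a day of normal use without flushing to see the realistic hit rate rather than the worst case. The warm medians should be near zero for every setup; what differs is the cold median, and that difference times the miss rate is the number the thread is arguing about.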